[ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header
Vojtech Szocs
vszocs at redhat.com
Tue Jul 15 17:06:19 UTC 2014
Hi guys,
please be advised, patch for master [1] as well as ovirt-engine-3.5 [2]
branch was merged recently. This patch enables CSRF (Cross-Site Request
Forgery) protection for REST API session acquired by WebAdmin UI plugin
infrastructure.
If you maintain UI plugin(s) and utilize "RestApiSessionAcquired" event
handler function, i.e. your UI plugin (JavaScript) calls Engine directly
or you pass the session ID to some other system which calls Engine, make
sure that any request to Engine contains both:
* JSESSIONID cookie (as today)
* JSESSIONID request header (this is new)
For CSRF-protected session [3], REST API backend compares these values
and if not successful, it responds with HTTP 403 (Forbidden) which will
break the communication with Engine.
As mentioned above, this applies to all UI plugins deployed on Engine
WebAdmin version 3.5 and later.
In order to stay compatible with older (unpatched) UI plugins, we could
introduce some Engine config parameter to control whether the REST API
session for UI plugins should use CSRF protection or not.
[1] http://gerrit.ovirt.org/#/c/29682/
[2] http://gerrit.ovirt.org/#/c/29850/
[3] details in commit message of http://gerrit.ovirt.org/#/c/29849/
Regards,
Vojtech
More information about the Devel
mailing list